Malicious PDF — malware analysis report

Static analysis result for SHA-256 d4419cbaa8336c69…

Verdict: MALICIOUS
File type: PDF
Size: 37.7 KB
Authoring application: ImageMagick
MD5: a2e8c638ec9a180e83ffe182bc8efc2d
SHA-1: 12bfc2b1f695afe517a709a863ca7bdc2a2c0b5e
SHA-256: d4419cbaa8336c69f5cf7ef5849bbcf10fb7b0cfd5119d5635fc1f2b978466a1
Risk score: 160

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF contains a large number of links to external PDF files, a pattern characteristic of generated SEO link-farm carriers that route users toward malicious or unwanted-software downloads. The ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0 and the SE_PASSWORD_ARCHIVE_LURE heuristic indicate that this document is part of a phishing or malware distribution chain. The document body is heavily corrupted but references 'Alien Skin Exposure X2 free' (the same phrase appears as the fragment of the last URL listed below), most likely a free-software lure to entice users into clicking the embedded links.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • SE_PASSWORD_ARCHIVE_LURE (high): Password-protected archive handoff
    The document gives password instructions for an archive or attachment, a technique often used to keep payloads encrypted until after gateway scanning.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://takeabowkilmarnock.com/uploads/1/3/0/4/130476308/c01e0c2e.pdf
    • http://out-the-back-door.com/uploads/1/3/0/5/130551935/ab6d7bd250.pdf
    • http://theselvakids.com/uploads/1/3/0/5/130545097/givogakaxelejob.pdf
    • http://studentcareer.ru/uploads/2020/01/28/024c5eea64b1.pdf
    • http://nyspace.org/uploads/1/3/0/4/130476372/miwawofukexivudepen.pdf
    • http://serpboards.com/uploads/1/3/0/4/130435821/3655457.pdf
    • http://kelufu.aseralle.me/uploads/2020/01/27/6198936.pdf
    • http://youngjoopark.net/uploads/1/3/0/2/130272877/130272877.html#alien+skin+exposure+x2+free
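The two behavioural heuristics above (the link farm and the password-archive lure) can be reproduced with a few regexes over the raw bytes. The following is an added example written for this report, not the scanner's own code. It assumes (not stated in the report) that link annotations are stored as literal /URI (...) strings and that the body text is uncompressed; a real PDF keeps both inside Flate-compressed object and content streams, so in practice run it over the output of a proper PDF parser. The sample PDF bytes and the thresholds are constructed for illustration and go a little beyond the report by also reporting host clustering and the share of targets that are themselves .pdf files.

```python
"""Link-farm and password-lure heuristics over raw PDF bytes.

Added example for this report, not the scanner's own code. Assumptions (not
from the report): /URI targets are literal strings and the body text is
uncompressed. Sample PDFs and thresholds below are constructed.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# /Annot /Subtype /Link objects carry the target as /A << /S /URI /URI (target) >>
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# "password ... archive/zip/rar/7z/attachment" (or the reverse order) within 120 bytes
PASSWORD_LURE_RE = re.compile(
    rb"\b(password|passcode)\b.{0,120}?\b(archive|zip|rar|7z|attachment)\b"
    rb"|\b(archive|zip|rar|7z|attachment)\b.{0,120}?\b(password|passcode)\b",
    re.IGNORECASE | re.DOTALL)

# Illustrative thresholds, not the scanner's tuned values.
MAX_SIZE_BYTES = 64 * 1024   # "small PDF"
MIN_LINKS = 5                # "many clickable external links"
MIN_PDF_LINK_RATIO = 0.5     # most targets are themselves .pdf files


def extract_uris(pdf_bytes):
    """All literal /URI targets in document order (duplicates kept)."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def link_farm_features(pdf_bytes):
    """Counts the link-farm decision is based on, kept for the analyst's report."""
    external = [u for u in extract_uris(pdf_bytes)
                if urlparse(u).scheme in ("http", "https")]
    hosts = Counter((urlparse(u).hostname or "").lower() for u in external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    pdf_links = sum(1 for u in external if urlparse(u).path.lower().endswith(".pdf"))
    return {
        "size": len(pdf_bytes),
        "external_links": len(external),
        "pdf_links": pdf_links,
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": top_count / len(external) if external else 0.0,
    }


def is_link_farm(pdf_bytes):
    """PDF_SEO_LINK_FARM-style verdict: small file, many external links, mostly to PDFs."""
    f = link_farm_features(pdf_bytes)
    if f["size"] > MAX_SIZE_BYTES or f["external_links"] < MIN_LINKS:
        return False
    return f["pdf_links"] / f["external_links"] >= MIN_PDF_LINK_RATIO


def has_password_lure(pdf_bytes):
    """SE_PASSWORD_ARCHIVE_LURE-style check on readable body text."""
    return PASSWORD_LURE_RE.search(pdf_bytes) is not None


def build_sample_pdf(uris, body_text):
    """Constructed, deliberately minimal PDF-like bytes (no xref, uncompressed)."""
    parts = [b"%PDF-1.4\n", b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"]
    for n, u in enumerate(uris, start=10):
        parts.append(b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                     b"/A << /S /URI /URI (%s) >> >> endobj\n" % (n, u.encode("ascii")))
    stream = b"BT (%s) Tj ET\n" % body_text.encode("ascii")
    parts.append(b"3 0 obj << /Length %d >> stream\n%s\nendstream endobj\n" % (len(stream), stream))
    parts.append(b"%%EOF\n")
    return b"".join(parts)


# Constructed sample in the shape of the report's link list: seven .pdf targets,
# five of them on one host, plus one .html landing page with a lure keyword fragment.
FARM_URIS = ["http://farm-a.example/uploads/1/3/0/4/1/%s.pdf" % s for s in "abcde"] + [
    "http://farm-b.example/uploads/2020/01/27/f.pdf",
    "http://farm-c.example/uploads/2020/01/28/g.pdf",
    "http://farm-d.example/uploads/1/3/0/2/1/landing.html#some+software+free",
]
FARM_PDF = build_sample_pdf(FARM_URIS, "Download: the password for the archive is 1234")
# Control: an ordinary document with a single citation link and no lure.
PLAIN_PDF = build_sample_pdf(["https://docs.example/paper.pdf"], "See the reference cited above.")

if __name__ == "__main__":
    for name, pdf in (("farm", FARM_PDF), ("plain", PLAIN_PDF)):
        print(name, link_farm_features(pdf), "link_farm=%s" % is_link_farm(pdf),
              "password_lure=%s" % has_password_lure(pdf))
```

The features dictionary, not just the boolean verdict, is what belongs in a report: the host clustering and the .pdf target ratio are what separate an SEO carrier from a bibliography that happens to cite many PDFs, and they let a reviewer see why the threshold tripped.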

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000110f.bin
SHA-256: dc1258eaecf753a7ca9ebc5521211f93f83f57a2657d5899b1171a4281fba29e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x110F
Size: 8216 bytes
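The report makes no claim about the carved font beyond its type and offset, but an embedded font is a parser attack surface in its own right, so a quick structural triage of the carve is worth doing before it is handed to any rendering code. The following is an added example, not the scanner's code: it parses the sfnt offset table and table directory, flags records that point outside the blob, and recomputes table checksums. The two blobs are constructed here (one well-formed, one with a table length patched out of bounds), not the report's artifact.

```python
"""Triage a carved sfnt (TrueType/OpenType) font blob.

Added example, not the scanner's code. The two blobs at the bottom are
constructed here (one well-formed, one with an out-of-bounds table length).
"""
import struct

SFNT_VERSIONS = {b"\x00\x01\x00\x00": "TrueType", b"true": "TrueType (Mac)",
                 b"OTTO": "OpenType/CFF", b"ttcf": "TrueType collection"}


def sfnt_checksum(data):
    """OpenType table checksum: sum of big-endian uint32 words over the table padded to 4 bytes."""
    padded = data + b"\0" * (-len(data) % 4)
    return sum(struct.unpack(">%dI" % (len(padded) // 4), padded)) & 0xFFFFFFFF


def parse_sfnt(blob):
    """Describe the offset table and each table record without trusting any of them."""
    if len(blob) < 12:
        raise ValueError("too short for an sfnt offset table")
    version = blob[:4]
    if version not in SFNT_VERSIONS:
        raise ValueError("not an sfnt: version tag %r" % version)
    if version == b"ttcf":
        raise ValueError("TrueType collections are outside this example")
    num_tables = struct.unpack(">H", blob[4:6])[0]
    dir_end = 12 + 16 * num_tables
    if dir_end > len(blob):
        raise ValueError("table directory (%d records) runs past end of blob" % num_tables)
    tables = []
    for i in range(num_tables):
        tag, checksum, offset, length = struct.unpack(">4sIII", blob[12 + 16 * i:28 + 16 * i])
        entry = {"tag": tag.decode("latin-1"), "offset": offset, "length": length}
        # Python ints do not wrap, so offset + length cannot overflow here; a C parser
        # must check this sum for 32-bit wraparound before using it as a bound.
        if offset < dir_end or offset + length > len(blob):
            entry["status"] = "out_of_bounds"
        elif tag == b"head":
            # 'head' holds checkSumAdjustment, so its stored checksum is computed with
            # that field zeroed; skip it here instead of special-casing it.
            entry["status"] = "ok (checksum not verified)"
        elif sfnt_checksum(blob[offset:offset + length]) == checksum:
            entry["status"] = "ok"
        else:
            entry["status"] = "checksum_mismatch"
        tables.append(entry)
    return {"flavor": SFNT_VERSIONS[version], "num_tables": num_tables, "tables": tables}


def build_sfnt(tables):
    """Constructed minimal TrueType-flavoured sfnt from (tag, data) pairs."""
    n = len(tables)
    entry_selector = n.bit_length() - 1 if n else 0
    search_range = (1 << entry_selector) * 16 if n else 0
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", n, search_range,
                         entry_selector, n * 16 - search_range)
    offset = 12 + 16 * n
    records, body = [], []
    for tag, data in tables:
        padded = data + b"\0" * (-len(data) % 4)
        records.append(struct.pack(">4sIII", tag, sfnt_checksum(data), offset, len(data)))
        body.append(padded)
        offset += len(padded)
    return header + b"".join(records) + b"".join(body)


GOOD_FONT = build_sfnt([(b"cmap", b"\x00\x00\x00\x01" + b"\x00" * 20),
                        (b"name", b"constructed sample font")])

# Same blob with the second record's length field (directory byte 40) patched to
# 0xFFFFFFF0, so the record claims data far beyond the end of the carved bytes.
_bad = bytearray(GOOD_FONT)
struct.pack_into(">I", _bad, 12 + 16 + 12, 0xFFFFFFF0)
BAD_FONT = bytes(_bad)

if __name__ == "__main__":
    for name, blob in (("good", GOOD_FONT), ("bad", BAD_FONT)):
        print(name, parse_sfnt(blob))
```

A record flagged out_of_bounds or checksum_mismatch does not by itself mean the font is an exploit (carving from a PDF stream can truncate a legitimate font), but it is the signal to stop and inspect the table by hand rather than load the blob into a font engine.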